Executive order to raise “volume, quality of cyber threat information”

Obama authorizes new cooperation between NIST and critical infrastructure firms.

Just before delivering the 2013 State of the Union address, President Barack Obama signed an executive order on cybersecurity that directs the National Institute of Standards and Technology (NIST) to develop a framework of “best practices” together with “critical infrastructure” corporations.

“It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with US private sector entities so that these entities may better protect and defend themselves against cyber threats,” the order states.

According to The Hill, a preliminary draft of this framework is due within 240 days of the order, and the final version within a year.

The order comes after the Cyber Intelligence Sharing and Protection Act (CISPA) failed in Congress last year—although it, too, is poised for a comeback. While many civil libertarians were concerned that CISPA lacked adequate privacy protections, some have expressed cautious optimism about the new order.

"The executive order says that privacy must be built into the government's cybersecurity plans and activities, not as an afterthought but rather as part of the design," said Center for Democracy and Technology President Leslie Harris in a statement.

"By explicitly requiring adherence to fair information practice principles, the order adopts a comprehensive formulation of privacy. The annual privacy assessment, properly done, can create accountability to the public for government actions taken in the name of cybersecurity."

Others, including the American Civil Liberties Union, agreed.

"The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties," Michelle Richardson, a legislative counsel for the ACLU, added in a statement. "For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information."

It's important to note that this is an executive order. As such, privacy considerations built into it are there at the whim of the executive. The next President (or this one) can remove privacy restrictions as (s)he sees fit. It would be much better to have an actual law--although I don't have any actual faith that Congress would do a better job.

I am not sure that will be of much help, after reading the white paper from Northrop Grumman on China's information warfare capabilities and their involvement with the hacker community to infiltrate targets of interest, and the recent rise of "Chinese" hacks/intrusions.

I like how President Obama mentioned some science and technology research objectives tonight.

On the other hand, I'm very skeptical of NIST ever since they helped to whitewash the WTC7 collapse.

Yes, in spite of the "9/11 truther" stigma that comes with daring to question the official account of the 9/11 attacks, I still hold the opinion that true patriots should not be satisfied until a valid explanation of the events of that day is presented, and those responsible (in addition to the 19 hijackers) are held accountable.

While some may doubt the source, at least here is one citation to support my comment:

By all means, go after the Chinese or whatever force is trying to "attack" the infrastructure. But don't mess with my privacy and don't go after the whistleblowers who are actually reporting on government abuse. I am afraid that this is just another excuse for more unconstitutional, warrantless wiretapping and surveillance, though. I hope I am proven wrong, and that this is nothing more than what it claims to be (but I'm not making any bets).

I don't think that asking for a proper investigation and scientific explanation should ever be cause for stigma. Unfortunately, too many people roll their eyes and dismiss a perfectly valid concern because it's just very hard for them to accept that our government would tell such big lies, or conceal important information about this tragedy in our recent history. So, they just dismiss it away. The truth (whatever it is) is the truth, nevertheless.

...a draft version of this framework will be due in 240 days and the final will be published within a year from now

The final draft will be published a year from now? That means that we should expect the revision of the first draft in 2014. An RFC by 2016 and a Congressional vote in 2020. This is assuming they don't get distracted with issues that take precedence over national security. You know, reeeeally important stuff such as getting re-elected.

If this were a draft resolution authorizing a raise for all members of Congress the vote would be scheduled for last week, first thing in the morning. Or earlier.

Sharing and collecting information the way the FAA and the NTSB do it is, I think, a pretty good way to do it: breaches are seriously analyzed and potential problems are identified, practical solutions are found, and *everyone* applies the appropriate fixes.

My issue with this EO is the tendency for the government to adopt by rules/regulation what might be best practices at that time but then never updates them as conditions change. The South Carolina tax database was fully compliant with obsolete IRS security protocols which allowed storing SSN's as plain text.

I'm already swamped with too much info from the government, with no context and no sense of prioritization. I see something useful now and then, but I don't have time to pick through everything to find it. I get a better payoff from my time investment by monitoring public sources.

Best practice: If it's important, run it on Linux, and don't give it any form of net access.

This isn't a Linux/Windows problem, this is a SCADA problem that they are ultimately addressing. In the old days SCADAs were simply hooked to dumb terminals where the administrator physically had to be located. As we have expanded, it has often at some point touched the enterprise Ethernet network for centralized management -- so your second point is dead on.

Even though their enterprise networks are "hardened" and "segregated", if there is any point of ingress or egress of information from the public domain, the risk will be there. I attended an information warfare summit where a white hat was able to generate a listing of SCADA systems (in a matter of seconds) open to the internet, it was ludicrous to see.

NIST has already provided some standards that are used by the private sector, some of which specifically address SCADA systems. This will hopefully increase dialogue in bettering these standards. As someone had mentioned, so long as privacy concerns are addressed and wording is not too ambiguous (that's a tall order), this would be better served in the form of law for critical infrastructure providers, as there is no bite to the order in itself. However, I do believe there are already regulatory requirements for many of the Nation's critical infrastructure providers if they fail to meet standard baselines established by law -- so that may be unnecessary if those truly exist.

Either way, if a law or an executive order is in place that allows for even more personal liberties to be compromised, it's probably not worth it.